Hackers withdraw millions in hit on world's ATMs

Hackers withdraw millions in hit on world's ATMs

New York: It was a huge bank heist - but a 21st-century version in
which the robbers never wore ski masks, threatened a teller or set foot
in a vault.
Yet, in two precision operations that involved operatives in
more than two dozen countries acting in close co-ordination and with
surgical precision, the organisation was able to steal $US45 million
from thousands of ATMs in a matter of hours.
In New York City alone, a team of eight people struck 2904 machines over 10 hours on February 19, withdrawing $US2.4 million.
On Thursday, federal prosecutors in Brooklyn unsealed an
indictment charging eight members of the New York crew - including their
suspected ringleader, who was found dead in the Dominican Republic on
April 27 - offering a glimpse into what the authorities said was one of
the most sophisticated and effective cybercrime attacks ever uncovered.
''In the place of guns and masks, this cybercrime organisation used
laptops and the internet,'' said Loretta Lynch, the US attorney in
Brooklyn. ''Moving as swiftly as data over the internet, the
organisation worked its way from the computer systems of international
corporations to the streets of New York City, with the defendants
fanning out across Manhattan to steal millions of dollars from hundreds
of ATMs in a matter of hours.''
The indictment outlined how they were able to steal data from
banks, relay that information to a far-flung network of ''cashing
crews'', then launder the stolen money by buying high-end luxury items
such as Rolex watches and expensive cars.
In the first robbery, hackers were able to infiltrate the
system of an unnamed Indian credit-card processing company that handles
Visa and MasterCard prepaid debit cards.
The hackers, who were not named in the indictment, proceeded
to raise the withdrawal limits on prepaid MasterCard debit accounts
issued by the National Bank of Ras Al-Khaimah, also known as Rakbank,
which is based in the United Arab Emirates.
By eliminating the withdrawal limits, ''even a few
compromised bank account numbers can result in tremendous financial loss
to the victim financial institution'', the indictment said.
With five account numbers in hand, the hackers distributed
the information to individuals in 20 countries who then encoded the
information on magnetic stripe cards.
On December 21, the ''cashing crews'' made 4500 ATM
transactions worldwide, stealing $US5 million, according to the
indictment. But that robbery was just a prelude for what prosecutors
said was a more brazen crime two months later.
On February 19, cashing crews stood at the ready at ATMs
across Manhattan and in two dozen other countries waiting for word to
spring into action.
This time, the hackers infiltrated a credit card processing
company based in the US that also handles Visa and MasterCard prepaid
debit cards. The company's name was not revealed in the indictment.
After securing 12 account numbers for cards issued by the
Bank of Muscat in Oman and raising the withdrawal limits, the cashing
crews were set in motion. Starting at 3pm, the crews made 36,000
withdrawls totalling about $US40 million from machines in the various
countries in about 10 hours.
Surveillance photos of one suspect hitting various ATMs showed the man's backpack getting heavier and heavier, Ms Lynch said.
The authorities said the leader of the New York cashing crew
was Alberto Lajud-Pena, 23, who also went by the name Prime. His body
was found in the Dominican Republic on April 27 and prosecutors said
they believed he was killed.
Seven other people were charged with conspiracy to commit
''access device fraud'' and money laundering. The prosecutors said they
were all US citizens.